Imagine you have spent several years building a successful interactive business website with hundreds of thousands or even millions of visitors. Your entire business and family income depends on this website working correctly. Now imagine that site being taken down by hackers or by your competition. The only thing displayed on both the front end and the back end of your website is the white screen of death, perhaps with a “500 error.” There is no way to log into the Joomla administrator panel, and no way for you or your customers to view any page you have created.

Even worse, you go to your hosting account to try to fix this mess with the cPanel File Manager and database manager, only to discover that your hosting account and your cPanel account have been hacked and all of the backups you made for your websites have been deleted. There may still be ways to repair your websites, which we will discuss towards the end of this article. But an ounce of prevention is worth a pound of cure. We will therefore review what website security really means.

If there is ever going to be a free and independent Internet in the future, we as website owners and builders need to radically change the way we think about website security. Gone are the days when hackers were just a few young kids getting their kicks by defacing and destroying a few websites. Today, hacking has become a multibillion dollar business. Hackers now use highly complex programs to take over thousands of websites in a single attack. The hackers then either demand a “ransom” of thousands of dollars to restore your website (which you can never really trust again even if you do pay up and get it back), or they use the computing power and data of these hacked websites to attack and bring down even more websites.


This course, book and website, Create Your Own Interactive Website, explains how to create a safe and secure Joomla website that you can use for any purpose. Our following books explain how to build on this foundational website to create an independent news website (Create Your Own News Website), your own online network (Create Your Own Community Network), your own online business (Create Your Own Online Store) and your own online course (Create Your Own Online Course). What all of these courses have in common is that they increase your power to communicate and organize with others. However, those who currently control our economic and political systems do not want us to communicate with each other.

Why New Interactive Websites are a Threat to the Status Quo

New online stores are a threat to the corporate monopoly of Amazon. Courses that teach folks how to build their own Linux computers are a threat to the corporate monopoly of Microsoft. Independent news websites are a threat to the corporate controlled media. Bottom up, community based social networks are a threat to the top down control of corrupt, corporate funded political leaders. It is therefore natural that monopolies such as Microsoft, Facebook, Google and Amazon, along with Wall Street bankers and even our own government, have worked to create a system to keep the Internet in check and take down any websites that present a threat to the establishment.

Even if you do not plan to build a controversial website, your website will certainly be caught in the crossfire of the billionaires' war on the people. I have about 20 Joomla websites for the various courses I teach. I have hacker monitoring tools attached to each of them. I am therefore able to say with confidence that each of them is attacked on a daily basis. So if you build either a WordPress or a Joomla website, you will certainly be attacked. It is not a question of if, but of when. The answer to that question is that the attacks will likely start in the first 24 hours after you go online. Thus, it is essential to know what steps to take in the first few hours after starting your website.

In 2013, Edward Snowden revealed that the NSA has teams of tens of thousands of website hackers (about 30,000 working directly for the NSA). Some of the documents he revealed confirm that the NSA spends three dollars hiring outside corporate hackers for every dollar it spends in house (Edward Snowden himself worked for an NSA contractor called Booz Allen). This brings the hacker total to 120,000. Tens of thousands of young people in the US military are also being trained as hackers by the NSA in what it calls its Cyber Warfare training program, bringing the total number of hackers trained by our own government to more than 200,000. While our corporate media likes to blame Russia or China for cyber warfare, the truth is that the hacker training budget of the US government is ten times larger than the cyber warfare budget of the rest of the world combined. When your website is attacked, the odds are ten to one that it was attacked by someone trained by the NSA. Here is a 26 minute video showing the NSA “Red Cell” training other branches of the military how to hack websites: https://www.youtube.com/watch?v=HnnvVnsDCGw


Don’t get me wrong. I am sure that our websites could occasionally be attacked by Russians and the Chinese. But when the NSA trains tens of thousands of young Americans in the Army and Navy how to attack websites and then these young men cannot find jobs after they get out of the Army, we should expect at least some of them to form teams and use the skills they learned from the NSA to attack the easiest local targets – us.

One way to determine who is attacking you is to install free Joomla tools that record the IP address of the server each attack comes from. You can then look up the city and country where that IP address is registered. Lately, the largest number of attacks on my websites have been coming from thousands of servers in Ukraine. Bear in mind, though, that the IP address tells you where the attacking machine is, not necessarily who controls it: as noted above, hacked websites are themselves used as platforms to attack other websites. But here is the problem. Each server is an actual computer that costs thousands of dollars. Who in Ukraine has the millions of dollars needed to buy all of these computers? Why would anyone in Ukraine want to attack massive numbers of websites in the US? It is not merely the cost of the servers, but also the cost of buildings to house the servers, staff to maintain the servers and electricity to run the servers. Then there is the cost of paying programmers to write the malicious code.

Who has this kind of money to pay for hundreds of attacks on my little websites? The one cyber warfare group with an unlimited amount of money to spend on servers is the US military cyber warfare group, also known as the NSA. Either they have an entire server farm in central Ukraine (which maybe they do), or, more likely, the servers are in the US and the NSA is disguising the origin of its traffic so that it appears to come from thousands of Ukrainian machines. Either way, we as website owners are being attacked by the largest, best trained cyber warfare teams in the world.
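Finding the attacking IP addresses does not require a special extension: the web server's own access log already records every request. As an added example (not part of the original book and not one of the Joomla tools mentioned above), the Python script below does that job from Apache combined-format log lines: it picks out POSTs to the Joomla administrator login page, counts them per IP address inside a sliding time window, and reports the addresses that are guessing logins, which is what a brute force attack looks like from the server's side. The log lines are constructed sample data using IP addresses from the documentation ranges (RFC 5737); the ten-attempt threshold and ten-minute window are assumptions you would tune. Looking up the city or country of an address needs a GeoIP database and is not included.

```python
"""Find IP addresses hammering the Joomla administrator login, from Apache
combined-format access log lines (constructed sample data below)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format: ip ident user [timestamp] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# The Joomla back-end login form posts here; a login-guessing attack shows up
# as many POSTs to this path from one address in a short time.
ADMIN_LOGIN = "/administrator/index.php"


def parse_line(line):
    """Return (ip, timestamp, method, path without query string), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), ts, m.group("method"), path


def find_login_floods(lines, window=timedelta(minutes=10), threshold=10):
    """Return {ip: total_attempts} for every IP that POSTed to the admin login
    at least `threshold` times inside any `window`-long period."""
    attempts = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path = parsed
        if method == "POST" and path == ADMIN_LOGIN:
            attempts[ip].append(ts)

    flagged = {}
    for ip, stamps in attempts.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            # slide the window forward so stamps[start:end + 1] all fall inside `window`
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged


def sample_log():
    """Constructed sample: one attacker, one clumsy admin, an ordinary visitor and a junk line.
    The addresses come from the RFC 5737 documentation ranges, not real hosts."""
    base = datetime(2016, 10, 21, 10, 0, 0)
    fmt = "%d/%b/%Y:%H:%M:%S +0000"
    lines = []
    for i in range(12):  # attacker: 12 login posts, 20 seconds apart
        t = (base + timedelta(seconds=20 * i)).strftime(fmt)
        lines.append(f'203.0.113.5 - - [{t}] "POST /administrator/index.php HTTP/1.1" 303 512 "-" "python-requests/2.9"')
    for i in range(2):  # real admin: mistyped the password once, then logged in
        t = (base + timedelta(minutes=3 * i)).strftime(fmt)
        lines.append(f'198.51.100.7 - - [{t}] "POST /administrator/index.php?option=com_login HTTP/1.1" 303 512 "-" "Mozilla/5.0"')
    lines.append(f'192.0.2.44 - - [{base.strftime(fmt)}] "GET /index.php/about HTTP/1.1" 200 8831 "-" "Mozilla/5.0"')
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for ip, count in find_login_floods(sample_log()).items():
        print(f"{ip}: {count} admin login attempts")  # next step: look up or block the address
```

Run it against a real log with `find_login_floods(open("/path/to/access_log"))`; the addresses it returns are the ones to feed into your blocking tool, and the same per-address counts are what the “hacker monitoring tools” mentioned above show you in the Joomla dashboard.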

Downdetector.com monitors outages and attacks on the servers of major corporations in real time. Each day more than 20 major corporations experience major attacks.

http://downdetector.com/archive/


Downdetector also provides maps of where these outages occur. Here is a map of the October 21, 2016 attacks, from the New York Times report on that day's Internet outage:

http://www.nytimes.com/2016/10/22/business/internet-problems-attack.html?_r=0


A 2014 RAND report (RR-610) found that 80 percent of all cyber attacks are committed by “highly organized crime rings,” not individuals. Cyber crime rings are not manned by youngsters; they employ highly experienced developers with the deep knowledge needed to bring constant innovation to malware and attack tactics. According to the report, the average age of a cybercriminal is 35, and 80 percent of black-hat hackers are affiliated with organized crime, working as part of closed groups. The report includes a diagram of the structure of these cyber crime rings.

http://www.rand.org/content/dam/rand/pubs/research_reports/RR600/RR610/RAND_RR610.pdf

On February 16, 2015, one of the world’s leading security firms, Kaspersky Lab, released a report on what it called the “Death Star of the Malware Galaxy”:

https://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/

https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf

It described a group it called the Equation Group, which was infecting computers all over the planet. The report noted that the techniques being used were linked to techniques and malware previously attributed to the NSA, including the Flame and Stuxnet malware that the US used to attack Iranian computers.

“All the malware we have collected so far is designed to work on Microsoft’s Windows operating system. The malware callbacks are consistent with the DOUBLEFANTASY schema, which normally injects into the system browser (for instance, Internet Explorer on Windows)… The Equation group uses a vast infrastructure that includes more than 300 domains and more than 100 servers.”

Meanwhile, on December 14, 2016, Yahoo admitted that data from one billion accounts had been stolen in August 2013.
https://threatpost.com/yahoo-discloses-data-from-1-billion-accounts-stolen-in-2013/122520/



Yahoo blamed sophisticated “state actors” of which the largest in the world by far is the NSA. The state actor was able to use forged Yahoo cookies to access the accounts as if the state actor was Yahoo.

One of the documents exposed by Snowden was a 2007 NSA job posting in which the NSA actively solicited hackers to go to work for the agency. Trainees would be taught how to “develop an attacker's mindset.”
http://www.spiegel.de/media/media-35661.pdf

We as single website owners have no chance - working only on our own - to fight off these well trained, highly paid teams of thousands of hackers. We therefore need to stop thinking of our goal as merely protecting our individual websites and instead start acting to protect ALL of our websites. Instead of seeing ourselves as individuals, we need to build a community that has long term SECURITY FOR ALL as a higher goal than short term corporate profit. It is significant that the term “Joomla” means “All Together.” We need community not just to create our websites but also to protect them.

This is no different than what happened during the US Revolutionary War. Individual colonists were being attacked by a wealthy king, a corporate monopoly and the largest army in the world. The colonists banded together to defend the rights of ALL Americans and eventually overcame great odds to defeat the British king and establish our Constitution and Bill of Rights. We are in a similar war today – but the weapons are much more complex and therefore harder to see. I will use the Linux community and the Joomla community to illustrate how safety comes from working together and building a community.

Linux versus Microsoft Windows
In my website, Learn Linux and Libre Office, I explain that any computer running the Windows operating system is not secure and can never be made secure. For those who do not have time to read the entire book, there are basically three design flaws in Windows. First, to make sure the computer can “call home” whenever Microsoft wants, the web browser is built into the core of the operating system itself. Second, to maintain control over the computer even if someone tries to replace Windows, the computer ships with UEFI firmware whose Secure Boot feature can refuse to start any operating system that is not signed with keys Microsoft controls; in effect, a kill switch in the start up program. Third, to make sure the public cannot see how Windows computers are controlled by Microsoft, the code is kept closed: it ships only as compiled binaries that nobody outside Microsoft can read. All of this is done in the name of corporate control, to maintain hundreds of billions of dollars in Microsoft profits.

By contrast, Linux is not a for profit corporation but a community of computer users who want safe, dependable computers. Because there is no need to maintain control, there is no need to build the web browser into the operating system. There is also no need to hide the code. In fact, allowing everyone to see the code helps confirm that it has no malicious features. As an alternative to the proprietary UEFI firmware that ships on most computers, the free software community developed coreboot, an open source boot firmware. You can read more about the safety benefits of coreboot on our website Learn Linux and Libre Office. But the bottom line is that when you build a website, you should do it from a Linux computer, ideally one running the coreboot firmware. Using Windows will leave your website open to attack. Even using an Apple computer will leave your website open to attack, because Apple is also a corporate partner of the NSA PRISM program, as confirmed by the following slide leaked by Edward Snowden. The slide shows that Microsoft joined the NSA data collection program in 2007 and Apple joined in 2012.


These nine corporate Prism Partners are paid hundreds of millions of dollars to assist the NSA (along with hundreds of other for-profit corporations). Note that Linux is not on this list. The NSA did try to recruit the leaders of Linux. But the bottom up community driven rather than profit driven structure of Linux protected it and protects all of us who use Linux computers. Sadly, billions of people still use Windows and Apple computers. They do this because it is more convenient than taking the time to learn how to build and use a Linux computer. They are placing short term convenience above long term freedom and mutual security. The good news is that using Linux is now much easier than it was in the past – in many ways much easier than using Windows or Apple. As more people discover this, we will someday reach a tipping point where everyone will insist on using Linux – not just for building websites – but for everything they need to do on their computer.



Joomla versus Wordpress
There are about 30 million active Joomla websites and three times that many active WordPress websites. As with Microsoft computers, people use WordPress because it is “easier.” This is despite the fact that Joomla has many benefits over WordPress. We describe these benefits in the following article.
https://createyourowninteractivewebsite.com/1-start-here/1-1-why-joomla-is-better-than-wordpress

However, the biggest benefit of Joomla over WordPress is that it is much more secure. During the past four years, WordPress has had many more major security problems than Joomla. In 2016, WordPress had five times as many published vulnerabilities (CVEs) as Joomla. (A CVE count measures vulnerabilities that were reported and fixed, so it is a rough comparison rather than a precise one, but the gap is large.)



Sources:

http://www.cvedetails.com/product/4096/Wordpress-Wordpress.html?vendor_id=2337
https://www.cvedetails.com/vendor/3496/Joomla.html


A more recent and detailed study found that WordPress had 122 major security problems in 2015: version 4.1 had 30, version 4.2 had 40 and version 4.3 had 52, for a total of 122 in 2015 alone, or about ten times the number of Joomla security problems. Compiled from the following data:

https://wpvulndb.com/
https://www.keycdn.com/blog/wordpress-security/


WordPress also does not use a random prefix for its database table names (its tables are wp_users, wp_posts and so on by default), which makes canned attack scripts that target those names more likely to work. By contrast, Joomla has generated a random prefix at installation for more than six years. WordPress also does not allow us to change a username without editing the database directly, while Joomla allows us to change a username in the dashboard, which is important for security reasons we will explain in more detail later. In addition to problems in the WordPress core, many of its most popular plugins were found to have major security problems, including Jetpack, Yoast and WP E-Commerce.

https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html
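The table prefix is one of the few security settings you can check with a script rather than by eye. As an added example that is not Joomla's own code, the following Python script reads the prefix out of a Joomla configuration.php (the `public $dbprefix = '...';` line of the JConfig class), flags a default or guessable value, and generates a random replacement. The sample configuration text is constructed, and the list of prefixes an attack script would try first is an assumption.

```python
"""Audit a Joomla configuration.php for a guessable database table prefix
and generate a random one (constructed sample config; not Joomla's code)."""
import re
import secrets
import string

# Prefixes a canned attack script would try first (assumed list): Joomla's old
# default, WordPress's default, and a couple of obvious choices.
GUESSABLE_PREFIXES = {"jos_", "joomla_", "j_", "wp_"}

# Matches the $dbprefix line of the JConfig class, capturing the quoted value.
PREFIX_RE = re.compile(r"(public\s+\$dbprefix\s*=\s*)(['\"])([^'\"]*)\2(\s*;)")

# Constructed sample of the relevant lines of a Joomla configuration.php
SAMPLE_CONFIG = """<?php
class JConfig {
    public $dbtype = 'mysqli';
    public $host = 'localhost';
    public $db = 'joomla_site';
    public $dbprefix = 'jos_';
    public $log_path = '/var/www/site/administrator/logs';
}
"""


def read_dbprefix(config_text):
    """Return the $dbprefix value, or None if the setting is missing."""
    m = PREFIX_RE.search(config_text)
    return m.group(3) if m else None


def audit_prefix(prefix):
    """Return a list of findings; an empty list means the prefix looks fine."""
    if prefix is None:
        return ["no $dbprefix setting found"]
    findings = []
    if prefix in GUESSABLE_PREFIXES:
        findings.append(f"prefix {prefix!r} is a well-known default")
    if not prefix.endswith("_"):
        findings.append("prefix should end with an underscore so table names stay readable")
    if len(prefix.rstrip("_")) < 4:
        findings.append("prefix is short enough to guess by brute force")
    return findings


def random_prefix(length=5):
    """Generate a prefix such as 'k7x2q_': a letter, then lowercase letters and digits, then '_'."""
    alphabet = string.ascii_lowercase + string.digits
    body = secrets.choice(string.ascii_lowercase)
    body += "".join(secrets.choice(alphabet) for _ in range(length - 1))
    return body + "_"


def rewrite_prefix(config_text, new_prefix):
    """Return the configuration text with $dbprefix replaced.
    The database tables must be renamed to the new prefix as well."""
    return PREFIX_RE.sub(lambda m: f"{m.group(1)}'{new_prefix}'{m.group(4)}", config_text, count=1)


if __name__ == "__main__":
    current = read_dbprefix(SAMPLE_CONFIG)
    for finding in audit_prefix(current):
        print("finding:", finding)
    print("suggested replacement:", random_prefix())
```

Changing `$dbprefix` on its own is not enough: every table in the database must be renamed to the new prefix at the same time, or the site will stop working. Take a backup first, rename the tables, then write the new prefix into configuration.php.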

While most of these security problems can be fixed by updating WordPress and its plugins, the majority of WordPress site owners never update their sites, which is why over 73% of all WordPress websites were found to be running vulnerable versions, making them easy targets for hackers.

https://www.wpwhitesecurity.com/wordpress-security-news-updates/statistics-70-percent-wordpress-installations-vulnerable/

As a result, millions of WordPress sites are attacked and successfully hacked every year. As just one example, in December 2014 the security team at Sucuri discovered that more than 100,000 WordPress sites had been hit with the SoakSoak.ru malware, resulting in more than 11,000 domains being blacklisted by Google.

https://blog.sucuri.net/2014/12/soaksoak-malware-compromises-100000-wordpress-websites.html

The people harmed are not merely the website owners. Also in 2014, supposedly Russian hackers stole the account information of 800,000 customers of five leading US banks. The following article went into detail about how the hackers got the account information from so many people: “First, they compromise a large number of websites that run WordPress, and install malicious code. When a user visits one of the compromised WordPress sites, that code exploits vulnerabilities in their browser to install the attacker's malware. The malware can be used to steal data stored on the PC, intercept online banking credentials, install more malware, and turn the PC into a proxy server for attackers. The entire operation is highly automated, beginning with hacking into servers that run WordPress.”

http://www.databreachtoday.com/hackers-grab-800000-banking-credentials-a-7416?webSyncID=9b470078-8bdc-5680-b9c0-a66b69564b83&sessionGUID=70da133e-6096-822a-c99e-811036285c82

Put in plain English, not only do people running WordPress sites risk having their websites hacked, they also risk having the computer of anyone who visits their site hacked (especially if it is a Windows computer).

In 2015, millions of WordPress websites were exposed through a vulnerability in the comment system that is built into WordPress. Here is a quote from the report: “They allow an attacker to inject code into the HTML content received by administrators who maintain the website. Both attacks work by embedding malicious code into the comments section that appears by default at the bottom of a WordPress blog or article post. From there, attackers can change passwords, add new administrators, or take just about any other action legitimate administrators can perform… The exploit works by posting some simple JavaScript code as a comment and then adding a massive amount of text—about 66,000 characters or more than 64 kilobytes worth. Once the comment is processed by someone logged in with WordPress administrator rights to the site, the malicious code will be executed with no outward indication that an attack is under way. By default, WordPress doesn't automatically publish comments to a post unless the user has already been approved by an administrator. Attackers can work around this limitation by posting a benign comment that gets approved. By default, subsequent comments from that person will be automatically approved and published to the same post.”
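The mechanism in that quote (a comment made so long that the database cuts it off) is worth seeing in code, because it is a general class of bug and not a WordPress quirk: content is validated, then stored in a MySQL TEXT column that silently keeps only the first 65,535 bytes, so what ends up in the database is not what the sanitizer approved. The Python model below is an added example, not WordPress code; the toy allowlist sanitizer, the comment payload and the two store functions are constructed for illustration. The vulnerable ordering checks first and lets the database truncate afterwards; the hardened version enforces the storage limit before validating, so the text that was checked and the text that is kept are the same.

```python
"""Why 'sanitize, then store' fails when storage silently truncates:
the stored comment is not the one the sanitizer approved (constructed toy model)."""
import re

MYSQL_TEXT_MAX = 65535  # bytes a MySQL TEXT column holds; longer values are cut off in non-strict mode
ALLOWED_ATTRS = {"href", "title"}
ATTR_RE = re.compile(r"\s*([A-Za-z][\w-]*)=('[^']*'|\"[^\"]*\")")


def sanitize_ok(html):
    """Toy allowlist sanitizer: only <a ...> and </a> tags are permitted, every
    attribute must be quoted and allowlisted, so a bare onmouseover= is rejected."""
    pos = 0
    while True:
        start = html.find("<", pos)
        if start == -1:
            return True
        end = html.find(">", start)
        if end == -1:
            return False  # unterminated tag
        tag = html[start + 1:end]
        pos = end + 1
        if tag.startswith("/"):
            continue
        name = re.match(r"[A-Za-z]+", tag)
        if not name or name.group(0).lower() != "a":
            return False
        rest = tag[name.end():]
        while rest.strip():
            attr = ATTR_RE.match(rest)
            if not attr or attr.group(1).lower() not in ALLOWED_ATTRS:
                return False
            rest = rest[attr.end():]


def db_truncate(text):
    """What a non-strict MySQL TEXT column keeps of an over-long value."""
    return text.encode("utf-8")[:MYSQL_TEXT_MAX].decode("utf-8", "ignore")


def build_payload(padding=66000):
    """Comment shaped like the attack described above: the dangerous-looking text sits
    inside a quoted title value (so the sanitizer is happy), followed by enough padding
    that the closing quote and the '>' fall past the column limit."""
    return "<a title='x onmouseover=alert(1) " + "A" * padding + "'>click</a>"


def store_vulnerable(comment):
    """Check first, then let the database truncate: the ordering bug."""
    if not sanitize_ok(comment):
        raise ValueError("comment rejected")
    return db_truncate(comment)


def store_hardened(comment):
    """Enforce the storage limit before validating, so what is checked is what is kept."""
    if len(comment.encode("utf-8")) > MYSQL_TEXT_MAX:
        raise ValueError("comment too long")
    if not sanitize_ok(comment):
        raise ValueError("comment rejected")
    return comment


def demo():
    """Run both orderings on the payload and report what each one leaves in the database."""
    payload = build_payload()
    stored = store_vulnerable(payload)
    try:
        store_hardened(payload)
        hardened_rejected = False
    except ValueError:
        hardened_rejected = True
    return {
        "approved_on_submit": sanitize_ok(payload),
        "stored_bytes": len(stored.encode("utf-8")),
        "stored_still_valid": sanitize_ok(stored),
        "hardened_rejected": hardened_rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The stored fragment in the vulnerable case ends in the middle of a quoted attribute, with the `onmouseover=` text no longer protected by the quoting the sanitizer relied on; whatever later renders that fragment is working with HTML that was never checked. The general rule: validate the exact bytes that will be stored, and make the database reject over-long values (MySQL strict mode) instead of silently trimming them.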

2016 was also a very bad year for WordPress. On June 2, 2016, more than 10,000 WordPress websites were infected through a plugin called WP Mobile Detector.


Then in December 2016, a WordPress security firm called Wordfence posted an article describing a free tool, a PHP web shell, that is available on the Internet and is used to attack WordPress websites.
https://www.wordfence.com/blog/2016/12/russia-malware-ip-hack


The authors easily obtained the PHP script from this download link:
http://profexer.name/pas/download.php


The latest version of this hacking program, which is used to hack WordPress websites, is version 4.1.1. The article shows what the control panel of this hacking program looks like.


This free and handy open source hacking program includes a file browser, a file search function, a database tool for downloading the contents of a hacked WordPress website's database, a scanner, a tool to view server configuration files and a tool to brute force passwords.

Here is a quote from the article: “We found a total of 385 active IP addresses during the last 60 days that were attacking our WordPress websites. These IP addresses have launched a total of 21,095,492 database attacks during that 60 day period that were blocked by the Wordfence firewall. We also logged a total of 14,463,133 brute force attacks from these same IP addresses during the same 60 day period. A brute force attack is a login guessing attack.”

Put in plain English, there were about 35 million attacks on WordPress websites protected by Wordfence in that 60 day period. The Wordfence home page notes that 22 million people have downloaded Wordfence, which is about 20 percent of total WordPress downloads. So if we multiply 35 million by 5 we get 175 million attacks on WordPress websites every 60 days. Divide 175 million by 60 and we estimate there are about 3 million attacks on WordPress websites every day! While Wordfence has a free version, to get country blocking you need to pay them $99 per year. Or you could build a Joomla website and just add the free tools we recommend in the next section.

Top Down Corporate Structure versus Bottom Up Communities
The biggest security advantage of Joomla over WordPress is that Joomla is a bottom up community, while WordPress development is dominated by Automattic, a top down, for profit corporation valued at more than a billion dollars and run and controlled by a small group of people. Automattic has been given more than $300 million by various investors. This puts WordPress in the same league as Microsoft, Google, Facebook and Amazon, which also received hundreds of millions in financing.
https://en.wikipedia.org/wiki/Automattic

By contrast, Joomla is a true bottom up community that is led by a non-profit called Open Source Matters, whose leadership is elected. Its key values are freedom, equality, trust, community, collaboration and usability. While the community has millions of members and thousands of developers, the Open Source Matters leadership team has an annual budget of less than $500,000. The leadership team is elected by the community members and consists of community members.
http://opensourcematters.org/about/organization/mission-vision-and-values.html

The Linux and Joomla communities have proven that they are more likely to catch and correct coding errors than top down, profit driven corporations. But equally important, they both include safety features that simply do not exist in the corporate alternatives. A good example is Joomla's access control list (ACL) system. This allows you as the website owner to create your own custom user groups and then decide which members of your community are allowed to access the various parts of the front end and/or back end of your website. WordPress core, by contrast, offers only a fixed set of roles. This is one of a dozen important safety features that are missing in WordPress.



Things are about to get much worse
More than 317 million new pieces of malware were created in 2014. Since then the number of new attacks has gone up, meaning that more than one million new threats are released every day.
http://money.cnn.com/2015/04/14/technology/security/cyber-attack-hacks-security/

But as bad as the website security problem is now, things are about to get much worse. Here’s why: In 2013, the CIA gave Amazon, owned by Jeff Bezos, a $600 million “cloud computing contract,” as if the NSA and CIA do not have enough computers of their own. Snowden documents revealed that the US intelligence agencies' “black budget” was $52.6 billion in 2013.
http://www.theatlantic.com/technology/archive/2014/07/the-details-about-the-cias-deal-with-amazon/374632/


IBM held up the deal for a year protesting to government regulators that they could have provided the Cloud computing for much less. Given all the security problems that the Amazon Cloud has had, one has to question the sanity of the NSA/CIA – unless $600 million was really for something much more sinister.

Then in late 2013, Bezos announced buying the Washington Post for $250 million – despite the fact that the Washington Post had suffered from declining readership and had been losing money for years. Even Amazon only made $7 million in profit the previous year. So where did Bezos get the $250 million and why did he want to buy the Washington Post?

Fast forward to November 24, 2016. The Washington Post published a shocking story, concocted from anonymous CIA sources, claiming that Russian hackers were responsible for the WikiLeaks Clinton email disclosures that may have been a factor in Clinton losing the presidential election. WikiLeaks denied this claim, stating flatly that the emails were leaked by Clinton insiders.

To add insult to injury, the Washington Post published a story from a website called PropOrNot which claimed that 200 alternative and independent news websites were being controlled by the Russians. The list included some of the most reputable alternative news websites in the nation, such as Consortium News and Truthdig. The Truthdig editor Robert Scheer has interviewed every US President since Jimmy Carter. The editor of Consortium News, Robert Parry, helped expose the Iran-Contra scandal. We are also supposed to believe that former Congressman Ron Paul is a Russian spy.

Despite the fact that the Washington Post offered absolutely no evidence for any of its allegations, this story was used by Congress a few days later to pass a bill authorizing $160 million to take down these “fake news” websites and fight the imagined Russian propaganda.

On December 8, 2016, reporter Dave Lindorff explained that the Washington Post story had actually been concocted by a US military cyber warfare expert.
http://fair.org/home/rather-than-exposing-propaganda-wapo-shows-how-its-done/

But the real story is that the bill to go after independent news websites was submitted to Congress in March 2016 – seven months before the election – and it was based on meetings that occurred in January 2016 – ten months before the election. So the Russian hacking story had been in the works long before the election and long before Wikileaks published the Clinton emails.

What will the extra $160 million granted by Congress be used for? Here is a clue. On December 1, 2016, Federal Rule 41 was revised without a vote of Congress to make it much easier for the FBI to hack into computers and take down websites in the US. In the past, the FBI had to get a warrant from a federal judge in the district where the computer was located. Under the new Rule 41, the FBI does not have to go to a local judge; it can go to any one of 500 federal judges for a warrant to hack into any computer and/or take down any website in the US. As the digital rights group Electronic Frontier Foundation (EFF) warned: “These changes to Rule 41 will result in a dramatic increase in government hacking… A single judge will be able to grant a warrant to hack a million or more computers.”
https://noglobalwarrants.org/

The term “computers” does not merely refer to private or personal computers but also to servers that host websites. A single server can host more than 1000 websites. So hacking one million computers can mean hacking one billion websites. In short, we were already being subjected to hacking on a massive scale by the NSA and their friends. Now the NSA/FBI have been given a blank check to expand these attacks.

This is why we need to take every possible precaution to protect our websites. These security measures must go well beyond merely moving our website to Canadian servers (as we described in the last chapter). They even go well beyond using Linux computers to post to our websites (as we described in a previous book). In the next section, we will provide an overview of the first ten steps we should take to protect our websites.